SuiteCRM – Broken SAML Authentication

The PHP SAML Toolkit version changed in SuiteCRM 7.8.2, which broke existing SAML configurations. I also had the old version patched for SLO support. The patch proved difficult to port because of significant changes in the code, and it didn’t make much sense either, as the new toolkit version should support SLO out of the box.

Below are my short notes on how to migrate the relevant SimpleSAMLphp IdP configuration to the newer PHP SAML Toolkit version. Also included is an SLO patch for SuiteCRM 7.8.18 LTS.

    IdP configuration

    The SP entity ID and endpoint URLs have changed.

    The SuiteCRM default SP entity ID has changed from php-saml to <SuiteCRM URL>/index.php?action=Login&module=Users.

    The ACS URL has changed from <SuiteCRM URL>/index.php?module=Users&action=Authenticate to <SuiteCRM URL>/index.php?action=Login&module=Users.

    The SLS URL should also be set to <SuiteCRM URL>/index.php?action=Login&module=Users.

    Change your IdP configuration accordingly. The entity ID is compared as an exact string, so the scheme, host and query string must match what SuiteCRM sends in its AuthnRequest.

    SimpleSAMLphp example

    SAML 2.0 remote SP metadata for SimpleSAMLphp is in metadata/saml20-sp-remote.php. Here is the relevant part. Note that this example uses plain http:// endpoints; in production the ACS and SLS locations (and the matching entity ID) should be https URLs, since the signed SAML response containing the user's identity is POSTed to the ACS location.

    ...
    // Remote SP entry for SuiteCRM. The array key must be the exact SP entity ID
    // that the new toolkit uses: <SuiteCRM URL>/index.php?action=Login&module=Users.
    $metadata["http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"] = array (
    
    	// NameID format released to the SP; here the user's e-mail address ...
    	"NameIDFormat" => "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    
    	// ... taken from the mail attribute (OID 1.2.840.113549.1.9.1).
    //	"simplesaml.nameidattribute" => "email",
    	"simplesaml.nameidattribute" => "urn:oid:1.2.840.113549.1.9.1",
    
    	// Alternative: use the username (uid, OID 0.9.2342.19200300.100.1.1) as the NameID instead.
    //	"simplesaml.nameidattribute" => "uid",
    //	"simplesaml.nameidattribute" => "urn:oid:0.9.2342.19200300.100.1.1",
    
    	// ACS: the new toolkit consumes the SAML response at the Login action (HTTP-POST binding).
    	"AssertionConsumerService"	=> array (
    		array (
    			"Binding"	=> "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    			"Location"	=> "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
    		)
    	),
    
    	// SLS: same URL with the HTTP-Redirect binding, so logout requests and responses reach SuiteCRM.
    	"SingleLogoutService"	=> array (
    		array (
    			"Binding"	=> "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    			"Location"	=> "http://suitecrm.ipros24.ru/index.php?action=Login&module=Users"
    		)
    	)
    );
    ...
    

    SLO patch

    The included patch is for SuiteCRM 7.8.18 LTS but may also work with newer SuiteCRM versions. It has been tested against a SimpleSAMLphp 1.13.2 SAML 2.0 IdP.

    Name:  SuiteCRM-7.8.18-SLO.patch
    Size:  2 KB
    MD5:   9f95f630f05aef4195b2fd9f0aa7a845

    The patch also includes a fix for an infinite loop that occurs when an authenticated user does not exist in the CRM, and a PHP 5 compatibility fix.

    To apply the patch on a Linux system, run the following command in the SuiteCRM root:

    # patch -p0 <SuiteCRM-7.8.18-SLO.patch
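    Added example, not part of the original post: a small POSIX shell function that checks the downloaded patch against the MD5 sum published above and dry-runs it before applying, so that a corrupted download or a SuiteCRM tree of the wrong version is rejected without touching any file. It assumes GNU patch and coreutils md5sum are installed; the function name and its return codes are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the SuiteCRM project).
# Assumes GNU patch and coreutils md5sum. The patch is applied with -p0
# from the SuiteCRM root, exactly as the post describes.

# apply_verified_patch PATCHFILE EXPECTED_MD5 [TARGET_DIR]
#   0 - checksum matched and patch applied cleanly
#   1 - patch file missing
#   2 - checksum mismatch (corrupted or wrong download)
#   3 - patch does not apply cleanly to TARGET_DIR (dry run failed)
# Nothing is modified unless both checks pass.
apply_verified_patch() {
    patchfile=$1
    expected_md5=$2
    target=${3:-.}

    [ -f "$patchfile" ] || { echo "no such patch: $patchfile" >&2; return 1; }

    # Compare the download against the published sum before doing anything else.
    actual_md5=$(md5sum "$patchfile" | cut -d' ' -f1)
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "MD5 mismatch for $patchfile: got $actual_md5, expected $expected_md5" >&2
        return 2
    fi

    # Dry run first: a hunk that fails on a different SuiteCRM version would
    # otherwise leave the tree half-patched with .rej files to clean up.
    if ! patch -p0 --dry-run -d "$target" < "$patchfile" >/dev/null 2>&1; then
        echo "patch does not apply cleanly to $target (wrong SuiteCRM version?)" >&2
        return 3
    fi

    patch -p0 -d "$target" < "$patchfile"
}

# Usage from the SuiteCRM root, with the checksum listed next to the download:
#   apply_verified_patch SuiteCRM-7.8.18-SLO.patch 9f95f630f05aef4195b2fd9f0aa7a845
```

    A matching MD5 sum only proves the file arrived intact; MD5 is not collision-resistant and the sum is served from the same site as the patch, so it does not authenticate the author. Read the patch before applying it to a production CRM.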
    